The security of computing resources and associated data is of high importance in many contexts. As an example, organizations often utilize networks of computing devices to provide a robust set of services to their users. Networks often span multiple geographic boundaries and connect with other networks. An organization, for example, may support its operations using both internal networks of computing resources and computing resources managed by others. Computers of the organization may communicate with computers of other organizations to access and/or provide data while using services of another organization. In many instances, organizations configure and operate remote networks using hardware managed by other organizations, thereby reducing infrastructure costs and achieving other advantages. With such configurations of computing resources, ensuring that access to the resources and the data they hold is secure can be challenging, especially as the size and complexity of such configurations grow.
One of the endemic problems in storage encryption is that the amount of data stored can be quite large and may need to be stored over a long period of time. Because the data is stored for so long, it is important that security is managed properly throughout that time. Any mistake in security management can be difficult to correct due to the sheer volume of data that is stored. Further, decrypting and re-encrypting large volumes of data can require a significant amount of resources. Various approaches have introduced key rotation for securing data, where the key used to access specific data changes over time. Such a change has to happen relatively quickly, however, to avoid a state in which certain portions of the data are secured with the old key while other portions have been switched over to the new key. Certain approaches attempt to obfuscate the key used for encryption, such as by providing a wrapper for the key, so that the wrapper can be changed to manage the security change. Difficulties can arise, however, when a customer does not have access to the new wrapper for the current key.